File level security for a metadata controller in a storage area network
First Claim
1. A method for accessing blocks of data in a shared storage which is accessed via a storage gateway, said accessing including the steps of:
establishing a metadata file system control data structure on at least one of a plurality of metadata controller nodes;
providing, from one of said metadata controller nodes, permission to an application node, to access said blocks of data using metadata file control information transferred from at least one of said metadata controller nodes to said application node, said permission having a time limited duration;
providing to said storage gateway a list of said disk blocks and identification of the application node which is permitted to access said blocks;
requesting, by said application node, access to said blocks of data, said request being made through said storage gateway; and
verifying, within said storage gateway, the validity of said request by comparison with metadata file control information communicated to said gateway from at least one of said metadata controller nodes.
Abstract
A storage gateway is employed as part of a security enhancing protocol in a data processing system which includes at least one metadata controller node and at least one application node which is granted a time limited access to files in a shared storage system. The gateway is provided with information as to data blocks to which access is to be allowed and also with information concerning the duration of special access granted to a requesting application node. This ensures that metadata cannot be improperly used, changed or corrupted by users operating on an application node.
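The abstract and claim 1 describe one enforcement point: the metadata controller hands a time-limited permission (node identity, block list, duration) both to the application node and to the storage gateway, and the gateway compares every request against the copy it received from the controller rather than trusting the requester. The following Python model is an added illustration of that check and is not code from the patent; the names MetadataController, StorageGateway, Lease and AccessRequest, the numeric lease ids, and the shared clock are assumptions made for the example.

```python
"""Model of the gateway-side verification described in the abstract and claim 1.
Added illustration, not the patent's own code: all class and field names are
assumptions, and the clock is a plain float shared by controller and gateway."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Sequence, Tuple


@dataclass(frozen=True)
class Lease:
    """Time-limited permission: which node may touch which blocks, and until when.
    The same record is sent to the application node and to the gateway."""
    lease_id: int
    node_id: str
    blocks: FrozenSet[int]
    expires_at: float  # seconds on a clock shared by controller and gateway


@dataclass(frozen=True)
class AccessRequest:
    """What the application node presents to the gateway (constructed sample)."""
    node_id: str
    lease_id: int
    blocks: Tuple[int, ...]
    now: float  # time at which the gateway observes the request


class StorageGateway:
    """Holds only control information pushed by the metadata controller and
    verifies each request against it; nothing in the request is trusted."""

    def __init__(self) -> None:
        self._leases: Dict[int, Lease] = {}
        self.audit: List[str] = []

    def install_lease(self, lease: Lease) -> None:
        self._leases[lease.lease_id] = lease

    def revoke_lease(self, lease_id: int) -> None:
        self._leases.pop(lease_id, None)

    def verify(self, req: AccessRequest) -> Tuple[bool, str]:
        lease = self._leases.get(req.lease_id)
        if lease is None:
            return self._deny(req, "unknown lease")
        if lease.node_id != req.node_id:
            return self._deny(req, "lease belongs to another node")
        if req.now >= lease.expires_at:
            # Expired permissions are dropped so later requests fail closed.
            self._leases.pop(req.lease_id, None)
            return self._deny(req, "lease expired")
        outside = sorted(set(req.blocks) - lease.blocks)
        if outside:
            return self._deny(req, f"blocks not in lease: {outside}")
        self.audit.append(
            f"ALLOW node={req.node_id} lease={req.lease_id} blocks={sorted(req.blocks)}")
        return True, "ok"

    def _deny(self, req: AccessRequest, reason: str) -> Tuple[bool, str]:
        self.audit.append(f"DENY node={req.node_id} lease={req.lease_id} reason={reason}")
        return False, reason


class MetadataController:
    """Issues leases and installs the matching control record in the gateway."""

    def __init__(self, gateway: StorageGateway) -> None:
        self._gateway = gateway
        self._next_id = 1

    def grant(self, node_id: str, blocks: Sequence[int], now: float, ttl: float) -> Lease:
        lease = Lease(self._next_id, node_id, frozenset(blocks), now + ttl)
        self._next_id += 1
        self._gateway.install_lease(lease)  # gateway copy used for verification
        return lease  # application-node copy


def demo() -> List[Tuple[bool, str]]:
    """Constructed scenario: one lease for three blocks, five requests."""
    gw = StorageGateway()
    mdc = MetadataController(gw)
    lease = mdc.grant("app-node-7", blocks=[100, 101, 102], now=1000.0, ttl=30.0)
    return [
        gw.verify(AccessRequest("app-node-7", lease.lease_id, (100, 102), now=1010.0)),  # inside lease
        gw.verify(AccessRequest("app-node-7", lease.lease_id, (100, 103), now=1010.0)),  # block 103 not leased
        gw.verify(AccessRequest("app-node-9", lease.lease_id, (100,), now=1010.0)),      # another node
        gw.verify(AccessRequest("app-node-7", lease.lease_id, (101,), now=1031.0)),      # past expiry
        gw.verify(AccessRequest("app-node-7", lease.lease_id, (101,), now=1011.0)),      # lease already dropped
    ]


if __name__ == "__main__":
    for ok, why in demo():
        print("ALLOW" if ok else "DENY ", why)
```

The gateway deliberately keys its decision on the controller-supplied record only: the requester's stated node identity, lease id and block list are inputs to be checked, not evidence. The audit list gives the log lines a defender would want from such a gateway (every deny with its reason), and a lease that has expired is removed on first sight so that clock drift on the application node cannot extend its window.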
6 Claims
Claim 1 is reproduced above under First Claim; claims 2, 3 and 4 are dependent claims whose text is not included on this page.
5. A multinode, shared storage data processing system in which a first set of nodes is capable of acting as metadata controller nodes and a first node from said first set of nodes so acts to provide access to an individual file in said shared storage, said access being provided so that access occurs from a second node, not within said first set of nodes, which has time limited access to said file but which does not act as a metadata controller for said file, said data processing system including a storage gateway through which said access to said shared storage is provided, said gateway having a memory containing program code for performing the step of comparing an access request from said second node with metadata control information provided to said gateway from one of said metadata controller nodes.
-
6. A program product comprising a machine readable medium containing program code, for use in a multinode, shared storage data processing system in which a first set of nodes is capable of acting as metadata controller nodes and a first node from said first set of nodes so acts to provide access to an individual file in said shared storage, said access being provided so that access occurs from a second node, not within said first set of nodes, which has time limited access to said file but which does not act as a metadata controller for said file, said data processing system including a storage gateway through which said access to said shared storage is provided, said gateway having a memory containing program code for performing the step of comparing an access request from said second node with metadata control information provided to said gateway from one of said metadata controller nodes.